Thoughts on a Let’s Encrypt docker workflow

Assuming that there is a proxy that handles a bunch of different domains.

That proxy should support Let’s Encrypt either directly (there are some haproxy images on the Hub), or it can be configured to redirect Let’s Encrypt challenges to the Let’s Encrypt container (described in the Forum).

Basically: Run Let’s Encrypt with ‘--standalone’. For validation, the Let’s Encrypt CA will request a file under /.well-known/acme-challenge/ on your domain. The proxy redirects those requests to the container you just started (which might need to have a fixed address/IP, or the proxy needs to find it via the regular service discovery mechanism you are using).
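As an added illustration (not from the original post), here is what the redirect looks like in an haproxy configuration: only requests for the ACME validation path go to the Let’s Encrypt container, everything else goes to the application. The container address 172.17.0.10:80, the certificate directory /etc/haproxy/certs/ and the app backend app:8080 are assumed placeholders; the standalone client is assumed to answer the http-01 challenge on port 80.

```haproxy
# Added example, not part of the original post.
# 172.17.0.10 is a placeholder for the Let's Encrypt container's fixed IP
# (or the name your service discovery resolves for it).
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    # Only the ACME validation path is handed to the Let's Encrypt container.
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend letsencrypt if is_acme
    # Every other plain-HTTP request is sent to HTTPS once a cert is installed.
    redirect scheme https code 301 if !is_acme

frontend https_in
    # Pointing crt at a directory loads every .pem in it (key + chain per domain),
    # so a renewed cert is picked up on the next haproxy reload.
    bind *:443 ssl crt /etc/haproxy/certs/
    default_backend app

backend letsencrypt
    # The container started with `letsencrypt certonly --standalone`,
    # listening on port 80 inside the container for the http-01 challenge.
    server acme 172.17.0.10:80

backend app
    # Placeholder for the proxied application container(s).
    server app1 app:8080 check
```

Because the ACL matches on the path only, the challenge is routed correctly for any domain the proxy fronts, which is what allows one Let’s Encrypt container to obtain certs for all of them.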

Installing a cert

Manually.

A custom installer plugin, for Tutum for example, could use the Tutum API to redeploy the app container with a new SSL_CERT environment variable.

Renew a certificate

Let’s Encrypt certs are only valid for 3 months, so renewing is an issue.

A cronjob could re-run the above process every x months.

A Let’s Encrypt service & web ui where all the domains can be managed.